Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 18:24
Static task: static1
Behavioral task: behavioral1
- Sample: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 427c26ece5cc58787ae133d0c45b6cc8
- SHA1: 20ef4eb221b550905e6b7c04a0ae9e80c25e4546
- SHA256: 2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407
- SHA512: 84585c3e1ba8c64e6b6f5b4d690215aeb61d4d9adc08a34fefae962677d611abde4173fb8d3665e1b58789b76fed9bd25468264f6fc4000c8356e51944085857
- SSDEEP: 49152:SnAQJGx+TSqTdX1HkQo6SAASxJM0H9PAMEcaEau3R8yAH1plAH:+DwxcSUDk36SA7xWa9P593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3264) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    1932  mssecsvc.exe
    2584  mssecsvc.exe
    2732  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all entries by mssecsvc.exe):
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}\WpadNetworkName = "Network 3"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-65-ac-da-87-9b\WpadDecisionReason = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}\16-65-ac-da-87-9b
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-65-ac-da-87-9b\WpadDecisionTime = e0fc6c0c2ca6da01
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}\WpadDecisionReason = "1"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}\WpadDecisionTime = e0fc6c0c2ca6da01
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C336E9DD-AE8C-4501-BFF3-67B424A0E7FA}\WpadDecision = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-65-ac-da-87-9b\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-65-ac-da-87-9b
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 3044 wrote to memory of 2016: rundll32.exe -> rundll32.exe
    PID 2016 wrote to memory of 1932: rundll32.exe -> mssecsvc.exe
    PID 2016 wrote to memory of 1932: rundll32.exe -> mssecsvc.exe
    PID 2016 wrote to memory of 1932: rundll32.exe -> mssecsvc.exe
    PID 2016 wrote to memory of 1932: rundll32.exe -> mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (PID 3044, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2016, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1932, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2732, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2584, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7b43d71dbfb4dc8eba0e3e2a010c5a31
  SHA1: ebaca15297aa0a266c5ebf7f22f08891dc83903d
  SHA256: 133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10
  SHA512: dbff1d2971ffd81f1a3635b8dd6cbbc0543c4f0215f620bbdff04bbf984bf512a9891e177c14f19e5294455b25b1ca8548d532bd47971fb5eb578603ecc91349
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: aa7f6c30c24531e82018968e7aaf8138
  SHA1: 1d0723bcd706cbc0ba7b4111b4d18d549ad7a8f7
  SHA256: dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c
  SHA512: 2a267267bfa44f74cda7e5f58d1c994381b290ac9c0a46ea8276f60db042fb50f7ba32352478910493a4318b2e8436e9468627d2704921a1203079d3fffce0c1